Most people are aware of terms like phishing and malware, but do you know those are a part of a larger scheme called social engineering? This is not a new kind of fraud; in fact, it’s been used for many years to manipulate a wide range of people into giving up important data about themselves or the workplace. A prime example of social engineering goes back to Greek mythology with the Trojan horse. They infiltrated the city of Troy with a “peace offering” filled with soldiers, thus winning the war. With technology at the forefront of our lives, social engineering has entered a new era. Physical human interaction is not necessarily required anymore. These criminals can gain information through emails, pop-ups, and public Wi-Fi networks, to name a few. The main objective is to influence, manipulate or trick users into giving up privileged information or access within an organization. They are doing this right under your nose, and if you’re not paying attention, you will be a victim of this as well.

On April 29th, one of the largest fuel pipelines in the U.S, Colonial Pipeline Co. was hacked, which led to major shortages in fuel across the East Coast. New information came out this weekend regarding what may have led to the weak spot in Colonial Pipelines system resulting in the attack on their network. Apparently, an old account was not decommissioned correctly and still had access to the network by virtual private network (VPN). As a result, a hacker was able to obtain the password from the dark web and used their illicit access to demand cryptocurrency in return of the Colonial Pipeline system. Colonial paid the hackers $4.4 million in order to avoid confidential information from getting leaked.

When it comes to external threats, there is a lot to know. An external threat is when someone from outside the company uses malicious software or hacking as a way to take advantage of system vulnerabilities. As a managed service provider, we get a lot of questions from our clients on external threats, so we decided to use our experience and knowledge to help educate users on the most common forms of external threats, ransomware and phishing. The first step to combating external threats, is understanding them.

What are insider threats? Internal threats occur when users, who have authorized access to an organizations internal information, data centers, and computer systems, abuse this privilege. With great intellectual power comes great responsibility. Insiders who misuse their access privileges have the ability to commit fraud, intellectual property theft, data leaks, or release of trade secrets. The misuse or abuse of sensitive data can be a massive risk for companies.

It was me. I am writing from the perspective of an intern who fell for a phishing scam, which is a type of social engineering attack, despite having gone through copious amounts of cybersecurity training. I will be sharing my thoughts and experiences on the timely issue in the hope that it will help deter you from making the same mistake. What is Phishing? Phishing, also called credential phishing, is a method that hackers use to gather a person's personal information through deceptive emails and websites. To do this a hacker will send out an email and they will appear to be a user of a reputable company or a familiar contact. The email will usually contain a request or a link that the hacker has set to look like a legitimate website, so that they get you to click on it. The website will ask you to “log-in” or provide personal information. The login credentials and personal information are then captured, and the hacker can begin to use the information they gathered to gain access to your company servers, resources, applications, and more. Phishing Emails are On the Rise Phishing scams are becoming increasingly prevalent, especially during the Covid-19 pandemic. Attacks have significantly increased on devices as more people begin working remotely. Being a victim of a phishing attack is nothing to be embarrassed about. As technology becomes more advanced and hackers are getting more skilled at sending personalized emails, it is getting harder and harder to recognize. Even the most secure companies cannot block all phishing attempts without the risk of blocking real business emails. For this reason, it is important to spread awareness about different phishing experiences people have had, including my own. Before I get into my story, I will point out that I was trained to look for red flags of phishing attacks and how to avoid getting scammed in both the past and during my internship onboarding. With that being said, I still seemed to find myself a predicament that so many had tried to help me avoid. The Time I Fell for a Phishing Scam Last summer while working as an intern, I had my first phishing scare. It was about one month in my internship, I went into the office, checked my computer, and saw an email from my company's CEO. This is not typical, so I should have been a little suspicious, but coincidentally I had just met the CEO for the first time the day before when he visited our Boston office. For this reason, I thought it made sense that he might be reaching out to ask me for a favor. In the email “Lou,” our CEO, asked me to purchase several gift cards that he would be surprising the sales team in the afternoon. He asked that I not tell anyone so that it could remain a surprise. As a college intern, I was not in the place to make this large purchase, but “Lou” informed me that after I bought the gift cards I would be fully reimbursed immediately. I still did not feel comfortable doing this, but “Lou” insisted and said I would be doing him a huge favor. He was putting me in a very tight spot which did not seem characteristic of him. Before heading out to secretly purchase them, I decided I should run it by one of my co-workers. He came over to my desk, to look at the email I had been sent, and he began laughing. I looked back at him, both confused and unamused. “What’s so funny!?” I said, to which he replied “Sarah, this is not Lou Usherwood- it’s a phishing scam.” I showed him the thread of messages and the signs of a phishing scam quickly began to reveal themselves. He pointed out that the email address did not match his usual company email address. That is when I realized I had fallen victim to my first phishing scam. Lessons Learned Although I was a victim of a phishing scam, the gift card scheme was both a minor incident and a thankfully unsuccessful attempt compared to what could have happened. Clicking on a link and beginning a ransomware attack or sending a wire fraud could have also easily been the outcome. It is extremely necessary to take precautions and become more educated in how to identify and avoid a phishing attack. Training your entire workforce using professionally developed phishing awareness courses will be crucial to your cybersecurity strategy. Everyone from a summer intern to the lifelong CEO should be required to take these phish trainings, as anyone can become a victim. Risk and mitigation of phishing attacks must be top of mind all the time when employees open emails. I hope my story will help you or someone you know prevent harm due to a phishing attack. How to Implement Phishing Tests for Employees Outsourced IT services are great resources that will offer recommended controls/protocols for phishing attacks. Some of the biggest red flags to look for included in the acronym S.L.A.M. or Sender, Links, Attachments, and Message. Read more about these signs in our blog: SLAM Dunk Your Email Security with These 4 Rules to Live By. Updated training modules, tests, and other phishing attack tools can help prevent phishing attacks from becoming successful. Phishing prevention starts at the top, so make sure to educate your leadership on types of attacks targeting high-ranking personnel (whaling attacks or spear phishing). Awareness and education are your first line of defense against cyber attackers. If you're interested in stepping up your cybersecurity game with an experienced security team, click the button below to explore the possibilities.

When we think of the dangers of "hacking," we often visualize our desktop computers as the victim. As a result, companies and individuals have taken extensive measures to protect this information, and rightfully so. The issue, however, is that as computers remain in the spotlight, sophisticated hackers have found a way to access a far less obvious object, the printer. Within the US, UK, France, and Germany, 60% of businesses have suffered from print-related data breaches within the last year.

So, your organization has decided to work from home, likely in response to COVID-19 and the pandemic we are all facing. I know, you were expecting pajama pants, slippers, and total comfort. Turns out that, while yes you have those things, it’s just like regular work. Only now it feels like you were separated from the group, almost as if you did something wrong. On top of that? What about security? Are we not facing the ever-present threat of that bad guys trying to get at our personal info, and other protected data? Well there are steps we a can take, even with working from home, to keep out network safe. This list was compiled with that in mind. So, sit back, sip your coffee, and enjoy those PJ’s and slippers while we review some things that can keep your work at home secure. The Checklist: As COVID-19 continues to spread our goal is not only to enable work from home safely, but to enable continued service to our clients. So, lets start our list in the most basic of places. 1. Have a remote accessible workspace available to your staff This can mean several things. VPN, RDP, or even cloud collaboration spaces. I know this seems like a “have you check to make sure its plugged in” kind of moment but this is important to mention. Not everyone knows where to start (and that’s ok). It should have access to email, documents, and work important files. It should be protected by multi-factor authentication. This may be the most important point. Make sure your staff knows how to get to it and use it! 2. Consider using video calling Working from home doesn’t have to mean absence from meetings, 1 on 1’s, and even co-worker conversation. Seeing and being seen can be powerful when you consider the alternative. Yes, this means you must wear pants, but it also means that the common side-effect of feeling disconnected while at home can be managed better when you can reach out to others and see them too. This approach may involve licensing (Teams or something similar) Avoid using “free” programs as they are often not secure. 3. Prepare your staff for working from home Make sure they have access to phone numbers, voicemail, and whatever communication methods your organization uses. In addition, the security that goes along with those things outside of the building. Wearing jammies is no excuse for no security. Do not share passwords, or other means of access, with family members. Do not leave sensitive paper documents laying around. Make sure PC’s/laptops/devices have latest patches. Use only secure WIFI, not public or open WIFI. 4. Understand that remote workers are a security risk Not because they are bad pantsless people. No, but their PC’s and devices are often already victims of things like malware or worse without them having any idea. This is especially the case when the PC in question is shared with other family members. Personal PC’s often do not have the same protections and patches in place. Be ready for that and address it ASAP Store client info and work-related info on digital workspaces only. Not locally on your home PC. Not in un-approved cloud storage services. Do not send (or allow to be sent) client or work info through personal email. Use strong passwords, I know we all hate them but it’s important. Change passwords often! Every 90 days at least. This is worse than strong passwords, but again its important. Use encryption where possible. Bitlocker, or something like it, would work. Begin cybersecurity training, and simulated phishing. The bad guys will take advantage of this disruption to our day to day and the security wrinkles its creating. 5. IT should now be at red alert Yeah you heard me. Shields up, photon torpedoes loaded. It doesn’t matter if your IT is internal or an MSP, this is the time to be extra vigilant. Keep watch for any sort of anomaly that could be evidence of hacking, intrusion, or viruses. Logs are vital for information that could be useful in the event of any issues. Keep an even closer eye on your remote users. Consider testing your security protocols and keep testing them. Find those holes before the bad guys do. This list is by no means all encompassing. There are other things to be mentioned. Cyber security insurance, which is a good idea. Make sure it covers social engineering and make sure it’s enough coverage. Also, events like this are a good reason to look at your business continuity or disaster recovery policies. Make sure they are up to date and accessible, and that your team knows them and what’s expected.

Whether it's the end of Windows 7 support, or the inevitable invasion of snow zombies from north of the wall in Game of Thrones, we can all relate to impending dates of importance. Now that we have finally passed the end date of Windows 7 support - and we hope that means you no longer have any on your network- it’s time to focus on the next big thing for us here in New York State—the SHIELD Act. What is SHIELD? The SHIELD Act was signed into law in 2019 and will affect almost every business in New York State, and some outside as well. The scariest part isn’t even the requirements. It’s how few people know about it, and it goes into effect March 21, 2020. What is SHIELD? It’s an acronym for Stop Hacks and Improve Electronic Data Security. It’s like HIPAA, NIST, or California’s recent CCPA (California Consumer Privacy Act). It’s all about protecting personal information. How? There are several facets, or safeguards to the act. How to Achieve and Maintain Compliance Compliance is not a one-and-done task. It’s an ongoing process. It’s also important to emphasize that without documentation, there is no compliance. The SHIELD Act requires several documents to be maintained and readily available. The next step in preparing for SHIELD is to find a provider that can help guide you through the process. Or even better, one that can both guide and keep you compliant. Find a Provider With the Tools to Help Usherwood Office Technology is proud to offer compliance as a service for our managed services clients. That means documentation, and auditing so that we can be your watcher on the wall. Regardless of whether you partner with us, or another provider, the date is coming and soon we will all be held accountable. The time is now to take stock and secure your data. If you're ready to optimize your data security strategy, click the button below to speak to a cybersecurity expert.